18/12/2019

In early November the Labour Party experienced two cyber-attacks. The Distributed Denial of Service (DDoS) attacks were successfully thwarted, but the story made headlines across the UK. Over Christmas 2014, attacks on the PlayStation gaming network used networks of compromised home routers as the source of the DDoS attack, and with the explosion in network connectivity of home devices there is a growing pool of potential zombie machines infected by malware.

Wait, what? DDoS and zombies?

DDoS attacks generally use networks of computers compromised by malware. These networks are called botnets, and each of the compromised computers - called a zombie - generates the internet traffic for the attack, often without the legitimate owner’s knowledge.

Dr Duncan Hodges, Senior Lecturer in Cyberspace Operations, explains how it works: “A DDoS attack involves a whole set of bots or ‘zombie machines’ that make what appear to be valid requests from a website. This causes a huge surge in traffic and requests which seem legitimate, so the website will try to fulfil them, causing massive problems.

“These sorts of DDoS attacks can be used by sophisticated cyber actors, despite their simplicity, for two reasons. Firstly, they create a lot of noise and interest in one area, and this distraction means they can get in in another way, sneaking in a side door. Secondly, they could be a test run, creating an attack to see how the organisation responds, what processes they follow and how quickly they involve the National Cyber Security Centre. This information gathering mission will be looking at the window of opportunity attackers may have for other activity.”

This has made the possibility of an internet-enabled fridge (smart fridge) being used to attack an organisation a reality, but it’s not just limited to zombie fridges attacking organisations. Smart fridges are just one example of an Internet of Things (IoT) device - a device that is connected to your network, which is in turn connected to the internet, all the time.

In a broad sense the IoT includes everything that connects to the internet, but in practice the term is used for everyday objects that have computing devices embedded in them so that they can send and receive data over the internet. This includes your smartphone, watch, fitness tracker, video doorbell and speakers – all objects that make our everyday lives easier and simpler.

Why should it matter?

The problem lies in our rate of adoption of smart technology. All too often we’re so keen to have the new tech that we don’t stop and think about the risks and the vulnerabilities that might exist in these devices. The global market for IoT technology was worth an estimated 194.5 billion US dollars in 2017 (Statistica, 2018a), and it is predicted that the number of households with smart devices in the UK will rise from 8.4% in 2017 to 26.8% by 2022 (Statistica, 2018b).

There are lots of benefits to IoT devices: they can save individuals time, money and energy, as well as providing increased convenience and flexibility within daily life. For organisations, using IoT devices can also result in process improvements, efficiency gains and emission reductions. But the IoT is in its infancy and such technology presents risks, not only to data security but also to personal safety.

In order to maximise the benefits that such technologies can bring to individuals, organisations and society, it is vital to understand the factors that may influence their adoption and use, and how these may contribute to (or, indeed, mitigate) the potential risks.

The main risks revolve around device security and integrity. You probably have anti-virus software running on your PC or laptop, but what about on your smart speakers or lights? Very few devices have the capability to host anti-virus software, and this is part of the issue. There may also be flaws in the device’s own software. And then there’s the human behaviour factor: as individuals we’re not always on top of updating the software on our devices, and sometimes our passwords aren’t the most secure - which leaves our devices open to potentially becoming a zombie.

For organisations, the problem can be even more acute. Criminals can gain a lot by hacking into an organisation and accessing company records. Data is lucrative and there are numerous ways for criminals to hack into organisations.

In 2017, a casino had its database of ‘high rollers’ stolen by a hacker who compromised the internet-enabled thermometer in the atrium fish tank and used it as a foothold to compromise the rest of the network. Once in the network he found the high-roller database and pulled it across the network, out of the thermostat, and up to the cloud.

Dr Hodges highlights how inadequate processes can play a part in exposing organisations to security threats: “In 2017 a petrochemical site was compromised with a ransomware infection. The organisation cleaned it all up and got everything working again, but they had forgotten to clean the smart coffee machine which then re-infected the entire plant!”

Organisations also need to consider their use of Industrial Control Systems (ICS). ICSs are computers that control the world around us. They are responsible for the lighting at the theatre, the air conditioning in your office, and the robots on a manufacturing production line. It is easier than you think to find these systems on the internet – there are a number of websites that provide easy-to-use functionality to find ICSs. In the article about the casino, Robert Hannigan highlights a bank that had been hacked through its CCTV cameras because these types of devices are often bought purely on cost.

With the rise of cloud computing and online systems to store data, organisations need to consider who can access that data and how. Does your organisation have a Bring Your Own Device policy? Do you allow employees to connect phones to the network? Could smart watches and fitness trackers connected to those phones provide an opportunity to attack your network? Data breaches not only disrupt business but can also be expensive and cause reputational damage.

What can I do to mitigate the risk?

If we are to adopt an increasing number of IoT devices into our daily lives, either personally or at work, then we need to understand the evolving risks and be prepared to play our part in mitigating them.

Here are some activities you and your organisation can implement to mitigate the risks from IoT devices:

  • Do your research before you buy a new IoT device and consider waiting before you buy. You don’t have to have the newest tech straight away, and waiting for some of the bugs to be resolved could improve your safety and security.
  • When you buy a new device check to see what it transmits over the internet - if you don’t want to interact with a device remotely, turn off the connectivity.
  • Regularly check the security settings and change them if necessary.
  • Keep software and patches up to date.
  • Protect your wireless networks with strong passwords.
  • Develop an organisational view of cyber, the domain, the drivers and constraints.
  • Ensure employees are aware of your cybersecurity policies and risks regarding phishing.
  • Implement best practice on password security.
  • Review who really needs access to systems and data.

And finally…

There isn’t a silver bullet to protect us from the risks from IoT devices, and as the devices and criminal activity continue to evolve we need to ensure we are taking all the necessary steps to protect both our personal and organisational data. As with most things, education is key.
